Request Smuggling vs Request Splitting Attack Difference Spring Boot
Both attacks have CRLF in their DNA, both abuse HTTP parsing, and both can let an attacker inject content that the server treats as legitimate. That surface-level similarity is where the resemblance ends. Request smuggling desynchronizes connection state between a reverse proxy and an upstream service, poisoning the request queue. Request splitting injects newlines into a response the application is already building, forging headers or redirects. In Spring Boot deployments they hit completely different layers, have different preconditions, and need different fixes.
How Smuggling and Splitting Actually Work
Request smuggling exploits disagreement about where one HTTP/1.1 request ends and the next begins. A reverse proxy (HAProxy, nginx, an AWS ALB) uses Content-Length to decide how many bytes belong to the first request. The backend Tomcat instance uses Transfer-Encoding: chunked instead, or vice versa. The bytes the proxy thinks are part of the body become a partial second request that Tomcat prepends to the next real user's request. That's the CL.TE variant. The TE.CL variant reverses which side gets fooled.
Request splitting (also called CRLF injection) is an application-layer bug. The application takes a user-controlled value and writes it directly into an HTTP response header or into a forwarded request without stripping carriage-return/line-feed characters. When the client (or an intermediate cache) parses the response, the injected \r\n ends the current header and starts a new one the attacker controls.









